SOX compliance in 2026: Requirements, checklists, and how to audit-proof your controls


Two companies face the same SOX audit. One produces clean evidence on request, walks through tested controls, and closes fieldwork in weeks. The other spends the final quarter scrambling to document processes that have never been written down.

The difference isn't budget or headcount. It's whether compliance is treated as a continuous operational discipline or a year-end sprint.

This guide covers what SOX compliance requires, how to build and test internal controls, and how to make your audit preparation operational rather than reactive.

Key takeaways


Sections 302 and 404 drive most of the compliance work. Section 302 requires CEOs and CFOs to personally certify financial statements each quarter. Section 404 requires documented, tested internal controls over financial reporting — and for accelerated filers, an external auditor's attestation on top of that.

Materiality determines scope, and scope determines everything else. The risk assessment identifies which accounts and processes carry the highest risk of misstatement. That scoping decision shapes what gets controlled, tested, and documented before the auditor arrives.

How a deficiency gets classified determines whether it becomes a public disclosure. A control deficiency can usually be fixed quietly. A material weakness that is still open at year-end gets disclosed in the 10-K. Whether an issue ends up there often comes down to how early it was found, because a deficiency remediated and retested before the assessment date is not reported as an unremediated material weakness.

The teams that pass audits cleanly don't treat SOX as a year-end project. Incomplete documentation, weak IT controls, and late-starting tests are behind most audit failures. Consistent results come from treating compliance as an operational discipline throughout the year, not a sprint that kicks off in Q4.

What SOX compliance is and who it applies to

The Sarbanes-Oxley Act of 2002 is a U.S. federal law that sets financial reporting and internal control standards for publicly traded companies. Congress passed it after the Enron and WorldCom scandals showed how weak oversight could devastate investors, employees, and entire markets.

SOX applies to companies that register securities with the SEC, which includes every company listed on a U.S. stock exchange, the consolidated subsidiaries whose controls fall within the parent's ICFR, and foreign companies that list on U.S. exchanges or otherwise file with the SEC. Executives who knowingly certify inaccurate financial statements face personal criminal liability. The law also created the Public Company Accounting Oversight Board (PCAOB) to oversee the auditors of public companies.

In practice, the compliance work falls into five areas: data security, access controls, internal controls over financial reporting, financial disclosure, and audit management. Each carries specific obligations across finance, IT, legal, and operations.

Read related article: What is internal audit software and why does it matter beyond GRC?

The SOX requirements that actually drive compliance work

Section 302 (corporate responsibility for financial reports) requires the CEO and CFO to personally certify their financial statements. They must confirm the report contains no material misstatements, that internal controls have been evaluated in the preceding 90 days, and that any significant deficiencies are disclosed to the audit committee and external auditors.

Section 404 (management assessment of internal controls) is the most operationally demanding requirement. Management must include an Internal Control Report in annual filings assessing the effectiveness of ICFR. For accelerated filers, an external auditor must also attest to that assessment.

Section 409 (real-time issuer disclosures) requires companies to disclose material changes to their financial condition on an urgent basis, which demands controls that can surface those changes quickly.

Section 802 (criminal penalties for altering documents) makes it a federal crime to knowingly destroy, alter, or falsify records with intent to obstruct a federal investigation or proceeding, and it requires auditors to retain audit workpapers for five years. Violations carry fines and up to 20 years in prison (18 U.S.C. §§ 1519 and 1520, added by Section 802 of the Sarbanes-Oxley Act).

Section 906 (corporate responsibility for financial reports, criminal penalties) adds criminal exposure on top of Section 302. A CEO or CFO who certifies a report knowing it does not meet the statutory requirements faces fines of up to $1 million and 10 years in prison; willfully certifying a report known to be inaccurate raises that to $5 million and 20 years.

Section 806 (whistleblower protections) prohibits retaliation against employees who report suspected fraud or securities violations. Termination, demotion, and harassment all qualify as retaliation under the law. Companies need documented procedures for receiving and handling internal complaints, and staff need to know those procedures exist.

How materiality determines your SOX audit scope

Materiality is the threshold that separates what auditors scrutinize from what they don't. It sets the boundary for which accounts and disclosures require tested controls, and which fall outside the scope. Get it wrong, and teams waste testing cycles on low-risk accounts while leaving the ones that matter underexamined.

Most companies set a quantitative threshold as a percentage of a benchmark such as pre-tax income, revenue, or total assets. The commonly cited rule of thumb is about 5% of pre-tax income; when revenue or total assets are the benchmark, the percentage is far smaller, often well under 1%. The number alone doesn't complete the picture. Qualitative factors matter too. An error in a small account can still be material if it affects a trend, masks a regulatory breach, or relates to a sensitive disclosure. Fraud risk adds another layer. Accounts susceptible to management override require heightened scrutiny regardless of size.

The scoping exercise should be revisited every year. System changes, acquisitions, new accounting standards, and shifts in business model all affect which accounts carry the most risk of misstatement.

SOX internal controls: What they are and how to build them right

SOX internal controls are the policies, procedures, and mechanisms a company maintains to ensure accurate financial reporting and prevent fraud. Collectively known as Internal Controls over Financial Reporting (ICFR), they form the backbone of SOX 404 compliance. Auditors evaluate them to determine whether financial statements can be relied upon.

Most public companies structure their ICFR around the COSO framework, which defines five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The SEC and PCAOB both recognize it as the standard for SOX compliance.

IT general controls vs. application controls

IT general controls (ITGCs) cover access management, change management, computer operations, and program development. They establish the foundation that makes application-level controls reliable.

IT application controls (ITACs) enforce business rules at the transaction level within specific applications, including input validation, processing controls, and output controls. ITGCs protect the environment; ITACs protect individual transactions.

Read related article: How internal audit software and GRC platforms work together for compliance

What counts as a control deficiency (and why classification matters)

Not all control failures carry the same weight. The classification of a deficiency determines how it gets reported and how urgently it needs to be fixed.

A control deficiency exists when a control is not designed to prevent or detect misstatements, or when it exists on paper but doesn't operate as intended.

A significant deficiency is more serious. It represents a deficiency, or combination of deficiencies, that is important enough to warrant attention from those responsible for financial oversight, even if it doesn't rise to the level of a material weakness.

A material weakness is the most severe classification. It indicates a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. Material weaknesses must be disclosed publicly in the company's 10-K filing, which makes them consequential well beyond the internal audit function.

Early identification matters. A deficiency found in Q1 can usually be remediated before the external auditor arrives. The same deficiency found in Q4 becomes a disclosure problem.

How the SOX audit process actually works: Preparation, testing, and what auditors look for

A SOX audit evaluates whether a company's internal controls over financial reporting are designed effectively and operating as intended. It involves both internal testing by management and an external audit by an independent accounting firm. For accelerated filers, the external auditor must also issue a separate opinion on ICFR effectiveness under SOX Section 404(b).

The audit lifecycle follows a predictable sequence. Teams that build their preparation around it consistently produce cleaner results.

Risk assessment comes first. Management identifies which financial statement line items and disclosures carry the highest risk of material misstatement, determining which controls need to be tested. The assessment should account for recent system changes, acquisitions, reorganizations, and new accounting standards.

Control documentation follows. Every control needs a clear description of what it does, who owns it, how frequently it operates, and what evidence it produces. Controls without documentation are effectively untested — a gap auditors will flag immediately.

Testing uses two complementary methods: walkthroughs, which trace a single transaction through the entire process to confirm the control is designed as documented, and sample testing, which selects a representative set of transactions from the period to verify the control operated consistently. Testing should begin at least 90 to 120 days before year-end to allow time for remediation.

Remediation addresses deficiencies found during testing. A control deficiency means a control is designed incorrectly or is not operating effectively. Significant deficiencies are more serious; material weaknesses must be disclosed publicly in the 10-K. Mock audits conducted at least 90 days before year-end surface most issues early enough to fix them before the external auditor arrives.

External audit fieldwork is the final phase. The auditor reviews management's testing, runs their own independent tests, and issues an opinion on ICFR effectiveness. Teams that maintain structured evidence collection throughout the year spend far less time scrambling to assemble audit packages when fieldwork begins.

Designing SOX controls that support flow, not hinder execution

SOX controls work best when they're embedded in the workflow. A control that forces someone to leave their primary system, open a spreadsheet, and email a reviewer for confirmation gets skipped when things get busy.

Segregation of duties ensures no single person can initiate, authorize, and record a financial transaction. In practice, the person who creates a purchase order cannot also approve the payment. Automation makes this enforceable rather than aspirational.
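As an added example (not part of the original article and not Moxo's product code), the check below runs a segregation-of-duties test over a constructed transaction log. It flags any transaction in which one identity performed two of the initiate, approve and record steps, and any step performed by an actor whose role is not permitted to perform it. The step names, role names, and the allowed-role table are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One workflow step as it would appear in an application's audit log."""
    txn_id: str
    step: str   # "initiate", "approve" or "record" (assumed step names)
    actor: str  # authenticated identity, not a display name
    role: str   # role the actor held when the step was performed


# Which role may perform which step (assumption for this example).
ALLOWED_ROLES = {
    "initiate": {"buyer"},
    "approve": {"approver"},
    "record": {"ap_clerk"},
}

# Constructed sample log. PO-1001 is clean; the others each break the rule differently.
SAMPLE_EVENTS = [
    Event("PO-1001", "initiate", "alice", "buyer"),
    Event("PO-1001", "approve", "bob", "approver"),
    Event("PO-1001", "record", "carol", "ap_clerk"),
    Event("PO-1002", "initiate", "dave", "buyer"),
    Event("PO-1002", "approve", "dave", "buyer"),      # self-approval
    Event("PO-1002", "record", "carol", "ap_clerk"),
    Event("PO-1003", "initiate", "erin", "buyer"),
    Event("PO-1003", "approve", "frank", "approver"),
    Event("PO-1003", "record", "frank", "approver"),   # approver also records
    Event("PO-1004", "initiate", "gina", "buyer"),
    Event("PO-1004", "approve", "hal", "ap_clerk"),    # approval without the approver role
]


def check_segregation(events):
    """Return {txn_id: [finding, ...]} for every transaction that violates
    segregation of duties. Two independent tests are applied per transaction:
    (1) each step was performed by an allowed role, and
    (2) no single actor appears in two different steps."""
    steps_by_txn = defaultdict(lambda: defaultdict(list))
    for e in events:
        steps_by_txn[e.txn_id][e.step].append(e)

    findings = defaultdict(list)
    for txn_id, steps in steps_by_txn.items():
        for step, evs in steps.items():
            for e in evs:
                if e.role not in ALLOWED_ROLES.get(step, set()):
                    findings[txn_id].append(
                        f"{step} performed by {e.actor} with role {e.role}")
        actors = [(step, {e.actor for e in evs}) for step, evs in steps.items()]
        for i, (step_a, actors_a) in enumerate(actors):
            for step_b, actors_b in actors[i + 1:]:
                for actor in sorted(actors_a & actors_b):
                    findings[txn_id].append(
                        f"{actor} performed both {step_a} and {step_b}")
    return dict(findings)


if __name__ == "__main__":
    for txn_id, issues in check_segregation(SAMPLE_EVENTS).items():
        print(txn_id)
        for issue in issues:
            print("  -", issue)
```

The two tests are deliberately separate: a role table alone does not catch a buyer who was also granted the approver role, and an actor comparison alone does not catch a step performed by someone who should never have had access to it. Running this against the application's own audit log, rather than against a self-reported control matrix, is what turns the control from a policy into evidence.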

Automated vs. manual controls. KPMG's 2025 SOX Survey found automated controls made up only 17% of all SOX controls in FY24, down from 21% in FY22, while the number of in-scope systems doubled. Manual controls are harder to test, more prone to inconsistency, and more expensive to maintain. Prioritize converting them to automated ones, especially in high-volume areas like access reviews, reconciliations, and approval routing.

A practical SOX compliance checklist for 2026

The SOX compliance checklist translates SOX requirements into operational steps your team can act on throughout the year. It works best when items are addressed continuously rather than in a single pre-audit push.

Risk assessment and scoping. Update your risk assessment annually to reflect system changes, acquisitions, process reengineering, and new regulations. Identify material accounts and significant processes. Map each process to the controls that mitigate its risks. Document your scoping rationale so auditors can evaluate your judgment.

Control rationalization. Review your control inventory against actual risk. KPMG's 2025 SOX Survey found the average key control count grew to 546. More controls do not mean better risk coverage. Eliminate redundant controls, consolidate where possible, and prioritize converting manual ones to automated in high-risk areas.

IT control review. Validate that ITGCs covering access management, change management, and operations are current and operating effectively. Confirm that application controls match actual system configurations. Review user access lists quarterly against the HR roster and remove terminated or transferred employees promptly. SOX compliance software can centralize evidence, automate access reviews, and flag exceptions in real time.
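As an added example (not from the original article), the following reconciles a finance application's user export against the HR roster, which is the core of a quarterly access review. It reports terminated employees who still have enabled accounts, transferred employees who kept finance roles, accounts with no HR owner, users holding a toxic role combination, and dormant accounts. The roster, transfer records, user export, role names, and the 90-day dormancy threshold are all constructed for the example.

```python
from datetime import date

# Review date for this run (assumption; in practice the quarter-end date).
REVIEW_DATE = date(2026, 3, 31)
DORMANT_DAYS = 90
FINANCE_ROLES = {"ap_clerk", "approver"}
# Role pairs one person must not hold together (assumption for this example).
TOXIC_COMBINATIONS = [({"ap_clerk", "approver"}, "can both record and approve payments")]

# Constructed HR roster: employee_id -> (status, department, termination_date).
HR_ROSTER = {
    "E100": ("active", "finance", None),
    "E101": ("terminated", "finance", date(2026, 1, 15)),
    "E102": ("active", "engineering", None),
    "E103": ("active", "finance", None),
}
# Constructed transfer records: employee_id -> (from_dept, to_dept, effective_date).
TRANSFERS = {"E102": ("finance", "engineering", date(2026, 2, 1))}

# Constructed export from the finance application:
# (username, employee_id, enabled, roles, last_login).
APP_USERS = [
    ("alice", "E100", True, {"ap_clerk"}, date(2026, 3, 10)),
    ("bob", "E101", True, {"approver"}, date(2026, 1, 14)),               # terminated, still enabled
    ("carol", "E102", True, {"approver"}, date(2026, 3, 1)),              # transferred, kept finance role
    ("dave", "E103", True, {"ap_clerk", "approver"}, date(2026, 3, 11)),  # toxic combination
    ("svc_etl", None, True, {"admin"}, date(2026, 3, 12)),                # no HR record at all
    ("erin", "E999", True, {"ap_clerk"}, date(2025, 9, 1)),               # id unknown to HR
    ("frank", "E103", False, {"approver"}, date(2025, 6, 1)),             # disabled, ignored
]


def review_access(app_users, roster, transfers, as_of):
    """Reconcile enabled application accounts against HR. Returns a list of
    (username, category, detail) findings; an empty list means the review passed."""
    findings = []
    for username, emp_id, enabled, roles, last_login in app_users:
        if not enabled:
            continue  # disabled accounts carry no access; keep them out of the findings
        if emp_id is None or emp_id not in roster:
            # Orphans are reported once and not examined further: with no owner
            # there is nobody to attest that the account is still needed.
            findings.append((username, "orphan", "enabled account with no matching HR record"))
            continue
        status, _dept, term_date = roster[emp_id]
        if status == "terminated":
            days = (as_of - term_date).days
            findings.append((username, "terminated", f"enabled {days} days after termination"))
        if emp_id in transfers and roles & FINANCE_ROLES:
            old, new, moved = transfers[emp_id]
            findings.append((username, "transferred",
                             f"still holds finance roles after moving from {old} to {new} on {moved}"))
        for combo, why in TOXIC_COMBINATIONS:
            if combo <= roles:
                findings.append((username, "sod", why))
        idle = (as_of - last_login).days
        if idle > DORMANT_DAYS:
            findings.append((username, "dormant", f"no login for {idle} days"))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(APP_USERS, HR_ROSTER, TRANSFERS, REVIEW_DATE)


if __name__ == "__main__":
    for username, category, detail in run_review():
        print(f"{username:8} {category:11} {detail}")
```

The "days after termination" figure is the number an auditor will ask for, because it is the measure of whether the de-provisioning control operated timely. The output of a run like this, dated and signed off by the reviewer, is the evidence for the control; the script alone is not.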

Evidence collection workflows. Define how evidence is requested, submitted, reviewed, and stored for each control. Assign clear ownership for every evidence request. Use structured workflows rather than email to maintain an audit trail with timestamps, version history, and reviewer attribution.
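One way to make that audit trail tamper-evident, shown here as an added example that is not from the original article and does not describe how any particular product stores its trail: each evidence event records the actor, timestamp, artifact hash and version, and embeds the hash of the previous entry, so a later edit or deletion of an earlier entry is detectable. The control id, actors, timestamps and artifact contents are constructed for the example.

```python
import hashlib
import json


def _digest(body):
    """Canonical SHA-256 over a dict: sorted keys, no whitespace, so the same
    content always hashes the same way regardless of insertion order."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def artifact_hash(data):
    """Hash of the evidence file itself, so the log commits to the file's content."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Append-only log of evidence events. Each entry embeds the previous
    entry's hash, so editing, reordering or deleting an earlier entry changes
    every later hash and verify() reports the first broken position."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, control_id, actor, action, artifact_sha256, timestamp, version):
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "control_id": control_id,
            "actor": actor,               # reviewer attribution
            "action": action,             # submitted / rejected / approved
            "artifact_sha256": artifact_sha256,
            "version": version,           # version history of the artifact
            "timestamp": timestamp,       # ISO 8601; in practice set by the system clock
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, n) if all n entries chain correctly, else (False, i)
        where i is the first entry whose sequence, link or hash does not match."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def build_sample_log():
    """Constructed sample: a reconciliation submitted, rejected and resubmitted.
    Control id, actors and timestamps are assumptions for this example."""
    log = EvidenceLog()
    v1 = artifact_hash(b"bank reconciliation, March 2026 (constructed sample)")
    v2 = artifact_hash(b"bank reconciliation, March 2026, corrected (constructed sample)")
    log.append("C-REC-01", "alice", "submitted", v1, "2026-04-02T09:15:00Z", 1)
    log.append("C-REC-01", "bob", "rejected", v1, "2026-04-02T11:40:00Z", 1)
    log.append("C-REC-01", "alice", "submitted", v2, "2026-04-03T08:05:00Z", 2)
    return log


def tamper_demo():
    """Change the reviewer on entry 1 after the fact (turning the review into a
    self-review) and show that verify() pinpoints that entry."""
    log = build_sample_log()
    log.entries[1]["actor"] = "alice"
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())   # (True, 3)
    print("tampered:", tamper_demo())               # (False, 1)
```

The chain only proves that nothing changed after the head hash was recorded, so the head hash has to be anchored somewhere the people who can write the log cannot also rewrite (a signed periodic export, a write-once store, or the auditor's own copy). Without that anchor, anyone with write access can regenerate the whole chain, which is exactly the Section 802 scenario the trail exists to deter.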

Testing procedures. Document your testing methodology, including sample sizes, selection criteria, and testing timelines. Conduct walkthroughs for each significant process at least annually. Schedule testing to begin 90 to 120 days before year-end. Perform mock audits to surface documentation gaps and control weaknesses before the external audit.

Documentation standards. Maintain control descriptions that include the objective, frequency, responsible party, and evidence produced. Store documentation in a centralized location accessible to auditors. Ensure version control so auditors can see the current state of each control and how it changed during the year.

Remediation tracking. Log every deficiency with its severity, root cause, remediation plan, owner, and target completion date. Track progress in real time. Verify that remediated controls are retested before the external audit.

Read related article: How to automate internal audit and compliance processes in 2026

The most common SOX audit failures (and how to avoid them)

Most SOX audit failures trace back to the same set of problems. Recognizing them early is the difference between a clean opinion and a last-minute remediation scramble.

Incomplete documentation is the most common deficiency auditors flag. A control that exists but can't be evidenced is treated as a control that doesn't exist. Centralized documentation with version control and clear ownership is the fix. Policies, narratives, and evidence should be organized and accessible year-round, not assembled in the weeks before fieldwork.

Weak IT controls create systemic risk. Inadequate access management, poor change controls, and gaps in audit logging don't just affect individual transactions. They undermine the reliability of every control that depends on the systems they govern.

Inadequate testing frequency is a timing problem. Organizations that test controls once a year, immediately before the audit, have no runway to remediate what they find. Quarterly testing of critical controls surfaces issues early enough to address them properly.

Resource constraints are real, particularly for teams managing Section 404 compliance without dedicated headcount. Co-sourcing arrangements that bring in external expertise during peak periods are worth considering. SOX compliance software can also close the gap, automating the evidence collection, testing, and tracking work that otherwise falls on internal teams.

How Moxo orchestrates SOX compliance workflows

SOX compliance is a coordination problem before anything else. Evidence has to arrive from across the organization, controls need documented approval paths, and every action needs to be attributable and timestamped. When that runs on email and shared drives, ownership blurs fast.

Moxo structures the coordination around your controls. Evidence requests become structured workflow steps tied to specific controls and audit assertions. The Agent Foundry handles preparation and validation before a reviewer ever opens a step, flagging incomplete submissions for rework automatically, never auto-approving on a failed check.

Approvals enforce segregation of duties by design. Steps are assigned to roles, not individuals, so the person initiating a transaction cannot also approve it. Every approval is captured with actor identity, timestamp, and full event detail across 65+ action types, filterable and exportable to CSV or JSON.

When a control lapses, a linked compliance workflow starts automatically. Rejected submissions loop back for rework without breaking the process. By the time external fieldwork begins, your evidence is already organized, reviewed, and ready to export.

See what running your SOX compliance process in Moxo looks like. Get started for free

How the best SOX teams run compliance year-round

SOX compliance doesn't have a start date or an end date. The companies that consistently pass audits run it as a continuous operational process — evidence collection, control testing, and remediation happen as part of daily work, not in a sprint before the audit.

The challenge is real and growing. In-scope systems have doubled. Control counts are rising. Manual processes still dominate. Staying efficient in 2026 requires structured workflows, automated evidence collection, and clear accountability at every handoff.

Moxo provides that infrastructure — coordinating the cross-functional work SOX demands while keeping humans responsible for the decisions that matter.

Your compliance process, built and running in Moxo. Get started for free

FAQ

What is SOX compliance?

SOX compliance refers to meeting the requirements of the Sarbanes-Oxley Act of 2002, a U.S. federal law that mandates financial reporting standards and internal control requirements for publicly traded companies. Compliance involves maintaining internal controls over financial reporting (ICFR), undergoing annual external audits, and ensuring executive certification of financial statements.

What are the requirements for SOX compliance?

The core SOX requirements include CEO and CFO certification of financial reports (Section 302), management assessment of internal controls with external auditor attestation (Section 404), real-time disclosure of material changes (Section 409), and protection of financial records from destruction or alteration (Section 802). Companies must also maintain whistleblower protections and auditor independence.

What is a SOX audit?

A SOX audit evaluates whether a public company's internal controls over financial reporting are designed effectively and operating as intended. It includes internal testing by management and an independent external audit. For accelerated filers, the external auditor issues a separate opinion on ICFR effectiveness under Section 404(b).

Who is responsible for SOX compliance?

The CEO and CFO bear ultimate responsibility. They must personally certify the accuracy of financial statements and the effectiveness of internal controls. In practice, SOX compliance involves cross-functional teams including finance, IT, internal audit, legal, and operations. The audit committee of the board of directors oversees the external audit process.

What are SOX internal controls?

SOX internal controls are the policies, procedures, and mechanisms that ensure financial reporting accuracy and prevent fraud. They include IT general controls (access management, change management), application controls (transaction-level validations), and process-level controls (segregation of duties, authorization workflows). The COSO framework is the most commonly used standard for designing ICFR.

What is the penalty for SOX non-compliance?

SOX penalties are severe. Under Section 906, CEOs and CFOs who willfully certify inaccurate financial reports can face fines up to $5 million and imprisonment of up to 20 years. Companies may also face SEC enforcement actions, mandatory restatement of financial statements, delisting from stock exchanges, and potential loss of directors' and officers' insurance coverage.
